How to customize SpamAssassin!!

SpamAssassin can be configured from cPanel of each domain. It can be customized further by
adding rules or filters.

In order to specify custom rules for a domain, you need to create the file
~/.spamassassin/user_prefs for each domain.

For example, for the domain letushare.com under the account letushare, you need to create the file /home/letushare/.spamassassin/user_prefs and add the custom rules to it.

A simple rule:

body LOCAL_DEMONSTRATION_RULE /test/
score LOCAL_DEMONSTRATION_RULE 0.1
describe LOCAL_DEMONSTRATION_RULE This is a simple test rule

This rule does a simple case-sensitive search of the body of the email for the string
"test" and adds 0.1 to the score of the email if it finds it. It will match "test",
but also "testing" and "attest". The describe statement contains the text which will
be placed into the verbose report, if verbose reports are used.
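The substring match above is the usual first surprise with custom rules, so here is an added example (not from the original post, and not SpamAssassin's own documentation) of a user_prefs that avoids it: a word-bounded, case-insensitive body rule, a header rule, and a meta rule that only scores when both hit. The home directory is passed as an argument; the lint step uses SpamAssassin's own --lint and is skipped when the binary is not installed.

```bash
# Added example: writes a user_prefs with a few custom rules into "$1/.spamassassin"
# and returns its path. The rule names (LOCAL_*) and scores are constructed for
# illustration; "$1" is assumed to be the account home directory.
write_custom_rules() {
  prefs_dir="$1/.spamassassin"
  mkdir -p "$prefs_dir"
  cat > "$prefs_dir/user_prefs" <<'EOF'
# Body rule: \b anchors match the whole word "test" only, so "testing" and
# "attest" no longer trigger it; the /i flag makes the match case-insensitive.
body     LOCAL_TEST_WORD       /\btest\b/i
score    LOCAL_TEST_WORD       0.1
describe LOCAL_TEST_WORD       Body contains the word "test"

# Header rule: the Subject header mentions "free money" in any case.
header   LOCAL_FREE_MONEY_SUBJ Subject =~ /free\s+money/i
score    LOCAL_FREE_MONEY_SUBJ 1.5
describe LOCAL_FREE_MONEY_SUBJ Subject mentions free money

# Meta rule: scores only when both rules above hit, which keeps the individual
# rules cheap (low scores) and the combination expensive.
meta     LOCAL_TEST_AND_MONEY  (LOCAL_TEST_WORD && LOCAL_FREE_MONEY_SUBJ)
score    LOCAL_TEST_AND_MONEY  3.0
describe LOCAL_TEST_AND_MONEY  Both local test rules matched

# Per-user threshold; 5.0 is the SpamAssassin default.
required_score 5.0
EOF
  printf '%s\n' "$prefs_dir/user_prefs"
}

# Syntax-check the rules with SpamAssassin's own linter when it is installed
# (-p points it at the prefs file). Returns 0 when spamassassin is missing so
# the function is safe to call from a provisioning script.
lint_custom_rules() {
  command -v spamassassin >/dev/null 2>&1 || { echo "spamassassin not installed; skipping lint" >&2; return 0; }
  spamassassin --lint -p "$1"
}

# Count the rule definitions (body/header/meta lines) in a user_prefs file.
count_rules() {
  grep -cE '^(body|header|meta)[[:space:]]' "$1"
}
```

Run it as `write_custom_rules /home/letushare` followed by `lint_custom_rules /home/letushare/.spamassassin/user_prefs`; a lint error names the offending line, which is much quicker than waiting for the next delivery to see whether the rule fired.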

 

Changing Exim interface IP !!

In order to change the exim interface IP, do the following :

Editing /etc/mailips: this file controls the IP address from which each domain
sends mail. Create and open /etc/mailips for editing with your preferred text editor
and configure it in the following way:

*: 192.168.0.1   (replace with the desired IP)

Disable this option:

WHM >> Service Configuration >> Exim Configuration Manager >> Domains and IPs >>
"Send mail from account's dedicated IP address"

And enable this option:

"Reference /etc/mailips for outgoing SMTP connections"

And now, restart the exim service.
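A malformed /etc/mailips line is only noticed when Exim is restarted, so as an added example (not from the original post) here is a small syntax check to run before the restart. It accepts the "*: IP" default line and "domain: IP" lines, flags anything else, and checks IPv4 addresses only; the file path defaults to /etc/mailips.

```bash
# Added example: validate /etc/mailips before restarting Exim.
# Each non-comment line must be "<domain or *>: <IPv4 address>".
# Prints every bad line with its number and returns 1 if any were found.
check_mailips() {
  file="${1:-/etc/mailips}"
  awk '
    # IPv4 only: four dotted octets, each 0-255
    function valid_ip(ip,   n, i, oct) {
      n = split(ip, oct, ".")
      if (n != 4) return 0
      for (i = 1; i <= 4; i++)
        if (oct[i] !~ /^[0-9]+$/ || oct[i] + 0 > 255) return 0
      return 1
    }
    /^[[:space:]]*(#|$)/ { next }                 # skip comments and blank lines
    {
      line = $0
      sub(/^[[:space:]]+/, "", line)
      n = split(line, parts, ":")                 # "key: ip" -> parts[1], parts[2]
      key = parts[1]; ip = parts[2]
      gsub(/[[:space:]]/, "", ip)
      ok = (n == 2) && (key == "*" || key ~ /^[A-Za-z0-9.-]+$/) && valid_ip(ip)
      if (!ok) { printf "line %d: %s\n", NR, $0; bad++ }
    }
    END { exit bad ? 1 : 0 }
  ' "$file"
}
```

Chain it into the procedure as `check_mailips && /scripts/restartsrv_exim` (or whatever restart command your server uses) so a typo in the file never takes outbound mail down.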

An alias to a subdomain? (Plesk)

Need a domain alias for a sub-domain?
Plesk had a direct option to do this from the front end, which was
taken out in newer versions of Plesk.

You can configure a .com alias to a subdomain by creating a file in the subdomain's conf directory like this:
# vi /var/www/vhosts/yoursite.com/subdomains/foo/conf/vhost.conf

contents:
ServerAlias "newaliasname.com"
ServerAlias "www.newaliasname.com"

Then rebuild the Apache config:
# /opt/psa/admin/sbin/httpdmng --reconfigure-all

Named service failing in Plesk?

Issue with the named service:

When trying to restart named, you get an error stating that some parameter is not given correctly in a zone file.

It would be a reverse PTR zone file with a name like this:
x.x.x.in-addr.arpa

Open the zone file using vim:

# vim /var/named/run-root/var/72.200.xx.in-addr.arpa.db

When you check the file, you can see a misconfigured line when compared with the
other lines; it is easy to spot by eye.

Edit that misconfigured line (check how the other lines are written), save the file and
restart the named service.

This is a bug which is seen in some older versions of Plesk.
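Two ways to find that line faster than reading the zone by eye, as an added example (not from the original post): BIND's own named-checkzone reports the exact line and reason when it is installed, and a tool-free fallback prints every PTR record whose layout (field count, trailing dot on the target) differs from the majority of PTR records in the file, which is exactly the "compare with the other lines" check described above. The zone file path and zone name are assumed to be passed as arguments.

```bash
# Added example: locate the broken record in a reverse zone file.
# Usage: check_zone_syntax /path/to/zone.db 72.200.xx.in-addr.arpa

# 1) Ask BIND directly; it prints "<file>:<line>: <error>" for syntax problems.
#    Returns 0 (and says so) when named-checkzone is not installed.
check_zone_syntax() {
  command -v named-checkzone >/dev/null 2>&1 || { echo "named-checkzone not installed" >&2; return 0; }
  named-checkzone "$2" "$1"
}

# 2) No-tool fallback: the "shape" of each PTR line is its field count plus
#    whether the last field ends in a dot. Lines whose shape differs from the
#    most common shape are the odd ones out (missing class, missing trailing dot...).
find_odd_ptr_records() {
  awk '
    /[[:space:]]PTR[[:space:]]/ {
      shape = NF "/" (($NF ~ /\.$/) ? "dot" : "nodot")
      line[NR] = $0; form[NR] = shape; count[shape]++
    }
    END {
      best = ""
      for (s in count) if (best == "" || count[s] > count[best]) best = s
      for (n = 1; n <= NR; n++)
        if ((n in form) && form[n] != best) printf "line %d: %s\n", n, line[n]
    }
  ' "$1"
}
```

The fallback is a heuristic: a zone where every record is wrong in the same way will look uniform to it, so prefer named-checkzone whenever bind-utils is available.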

Install SSL for a domain in Plesk

Note that to install an SSL certificate, the domain should be assigned a dedicated IP address.

Both assigning the IP address and installing the SSL certificate can be done from the Plesk panel. The steps to install the certificate are:

– Log in to Parallels Plesk Panel.
– From the menu on the left, select Domains.
– Click on the domain name that the certificate is issued for.
– Click SSL Certificates.
– Click Browse and locate your signed SSL certificate.
– Select it, then select Send File. This uploads and installs the certificate against the corresponding private key.
– Click the name of the certificate.
– Open the certificate bundle in a text editor and copy and paste its contents into the box labeled CA Certificate.
– Click Send Text.
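The two things that go wrong at the "Send File" and "CA Certificate" steps are a certificate that does not belong to the private key Plesk holds, and a bundle that does not complete the chain. As an added example (not from the original post, and not part of Plesk), here is an openssl check to run on the three files before uploading them; the paths are assumed to be the certificate, the private key and the CA bundle in PEM form.

```bash
# Added example: pre-upload checks for a Plesk SSL install.
# cert_matches_key CERT KEY   -> 0 when the public key inside the certificate
#                                equals the public key derived from the private key
# chain_verifies   CERT BUNDLE-> 0 when the CA bundle verifies the certificate
# check_ssl_files  CERT KEY BUNDLE -> prints one line per check, non-zero on any failure
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout) || return 1
  # Comparing SubjectPublicKeyInfo works for RSA and EC keys alike.
  [ "$cert_pub" = "$key_pub" ]
}

chain_verifies() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

check_ssl_files() {
  cert="$1"; key="$2"; bundle="$3"; rc=0
  if cert_matches_key "$cert" "$key"; then
    echo "key matches certificate"
  else
    echo "KEY MISMATCH: this certificate was not issued for this private key"; rc=1
  fi
  if chain_verifies "$cert" "$bundle"; then
    echo "chain verifies against bundle"
  else
    echo "CHAIN DOES NOT VERIFY: bundle is incomplete or for a different CA"; rc=1
  fi
  # Expiry and subject, so the wrong certificate file is noticed here too.
  openssl x509 -in "$cert" -noout -subject -enddate
  return $rc
}
```

If the key check fails, the usual cause is that the CSR was generated somewhere other than the Plesk certificate entry that is now being uploaded to; regenerate the CSR from Plesk and reissue rather than uploading a key that did not produce the CSR.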

 

Find the source of Spamming – Plesk !!

Check how many messages are in the queue with Qmail

# /var/qmail/bin/qmail-qstat

If mail is being sent by an authenticated user rather than from a PHP script, you can run the command below to find the user that has sent the most messages:

Note that you must have 'SMTP authorization' activated on the server to see these records.

# cat /usr/local/psa/var/log/maillog | grep -I smtp_auth | grep -I user | awk '{print $11}' | sort | uniq -c | sort -n

The next step is to use qmail-qread, which reads the message headers:

# /var/qmail/bin/qmail-qread

This shows the senders and recipients of messages. If a message has too many recipients, it is probably spam. Now find this message in the queue by its ID:
# find /var/qmail/queue/mess/ -name 2996948   (<- message ID)

Examine the message and find the "Received" line to see where it was sent from first. For example, if you find:

Received: (qmail 19514 invoked by uid 10003); 13 Sep 2005 17:48:22 +0700

it means that this message was sent via CGI by the user with UID 10003. Using this UID, it is possible to find the domain:

# grep 10003 /etc/passwd

Now, to determine from which folder the PHP script that sends mail was run:

Create a /var/qmail/bin/sendmail-wrapper script with the following content:

#!/bin/sh
# Prepend the caller's working directory as a header, keep a copy of every
# message in /var/tmp/mail.send, then hand the mail to the real sendmail.
(echo "X-Additional-Header: $PWD"; cat) | tee -a /var/tmp/mail.send | /var/qmail/bin/sendmail-qmail "$@"

Create a log file /var/tmp/mail.send and grant it "a+rw" rights; make the wrapper executable; rename the old sendmail; and link it to the new wrapper:
~# touch /var/tmp/mail.send
~# chmod a+rw /var/tmp/mail.send
~# chmod a+x /var/qmail/bin/sendmail-wrapper
~# mv /var/qmail/bin/sendmail /var/qmail/bin/sendmail-qmail
~# ln -s /var/qmail/bin/sendmail-wrapper /var/qmail/bin/sendmail

Now wait some time for logs to be generated, then put the original sendmail back:

~# rm -f /var/qmail/bin/sendmail
~# mv /var/qmail/bin/sendmail-qmail /var/qmail/bin/sendmail

Examine the /var/tmp/mail.send file. There should be lines starting with "X-Additional-Header:" pointing to the domain folders where the scripts which sent the mail are located.

You can see all the folders from which mail-sending PHP scripts were run with the following command (the vhosts root is read from HTTPD_VHOSTS_D in psa.conf):

~# grep X-Additional /var/tmp/mail.send | grep "$(awk '/^HTTPD_VHOSTS_D/ {print $2}' /etc/psa/psa.conf)"

Another case of spamming

When checking the qmail maillog (/usr/local/psa/var/log/maillog), if we find something
similar to this:

Oct 8 00:17:00 xxxx smtp_auth: SMTP connect from (null)@(null) [xx.xx.xx.xx]
Oct 8 00:17:00 xxxx smtp_auth: smtp_auth: SMTP user xxxxx: logged in from (null)@(null) [xx.xx.xx.xx]

we can confirm that spamming is being done by brute forcing Plesk
email passwords and then authenticating with the username base64-encoded.

The built-in qmail logging cannot handle this encoding, and as a result the logs will just show (null) instead of the username used.

From the Parallels forums:
http://forum.parallels.com/showthread.p ... il-logging
http://forum.parallels.com/pda/index.php/t-82043.html

The only solution would be to upgrade Plesk to a more stable version.
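The three log questions raised in this and the previous section (which authenticated user sends the most, which source IPs are logging in as "(null)@(null)", and which vhost folders the wrapper caught scripts in) can be answered with the helpers below, added here as an example and not taken from the original post or from Plesk. Unlike the awk '{print $11}' pipeline above, the user is extracted from the "SMTP user <name>:" token, so a double-space date ("Oct  8") or an extra word in the line does not shift the column. The maillog and mail.send paths are arguments; the lines in the test are constructed samples.

```bash
# Added example: detection helpers over the Plesk maillog and /var/tmp/mail.send.

# Authenticated SMTP logins per user, most active last.
# Usage: top_auth_users /usr/local/psa/var/log/maillog
top_auth_users() {
  grep -i 'smtp_auth' "$1" | grep -i 'logged in' \
    | sed -n 's/.*SMTP user \([^:]*\):.*/\1/p' | sort | uniq -c | sort -n
}

# Source IPs that authenticated with the "(null)@(null)" identity the post
# describes, counted per IP, most frequent first. A single IP with many such
# logins against one account is the brute-force pattern to look for.
# Usage: null_auth_ips /usr/local/psa/var/log/maillog
null_auth_ips() {
  grep 'logged in from (null)@(null)' "$1" \
    | sed -n 's/.*\[\([0-9.]*\)\].*/\1/p' | sort | uniq -c | sort -rn
}

# Directories from which scripts called sendmail while the wrapper was in
# place, most frequent first, limited to the vhosts root given as $2
# (normally the HTTPD_VHOSTS_D value from /etc/psa/psa.conf).
# Usage: script_dirs /var/tmp/mail.send /var/www/vhosts
script_dirs() {
  sed -n 's/^X-Additional-Header: //p' "$1" | grep "^$2" | sort | uniq -c | sort -rn
}
```

The output of null_auth_ips is what to feed into a firewall deny list, and the account named on those lines is the one whose password needs changing; the Plesk upgrade the post recommends is what restores the real username in the log.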

 

Configure log rotation in Plesk

Log rotation of the Plesk system logs is configured in /etc/psa/logrotate.conf.

Log rotation of the domain logs is configured under /usr/local/psa/etc/logrotate.d/.

You can also configure it in the front end:

Select Domains >> "Open in Control Panel" for the domain in question.
Look for the advanced options towards the end and select Log Rotation.

Welcome to Plesk – The basics

Log in to the Plesk control panel:
➡ http(s)://<server IP>:8442 or :8443

Create domain from
➡ hosting services>>customers>>add new customers

Login to end user side of plesk
➡ hosting services>>domains>>click open in control panel

To create mail accounts
➡ mail>>create email address

To create ftp accounts
➡ websites and domains>>ftp access>>create additional ftp account

To upload file
➡ websites and domains>>file manager

To check the dns records
➡ websites and domains>>dns settings

To add subdomain, add-on-domain and parked domains
➡ websites & domains –> bottom you have options for adding new domain (you need to be reseller)
➡ add a new subdomain
➡ add a new domain alias which is same as parked domain
➡ In order to give addon domain give as new domain alias and create a vhost entry for it

To create a MySQL user and do other database-related tasks
➡ websites & domains>>databases>>add new database
➡ once the database has been created, the user can be created
➡ click on the database>>add new database user
➡ the database can be managed through the "webadmin" web interface under tools, which is similar to phpMyAdmin in cPanel
to grant all privileges, select the user and set it as the default for the database

To add spf
➡ website & domain>>dns settings>>add record>> and record type as txt
now add txt record and update the setting

To set cronjob
➡ websites & domains>>show advanced operations>>scheduled tasks

Forwarding and spam filter
➡ mail>>either create a new email address or modify an existing one
there you see two tabs, "forwarding" and "spam filter"

To change the password
➡ users>>click on the users and change settings

To take backup
➡ websites & domains>>backup manager

Backend files

➡ Plesk root directory : /usr/local/psa
➡ Version : /usr/local/psa/version
➡ Admin password is stored : /etc/psa/.psa.shadow
➡ Plesk configuration file : /etc/psa/psa.conf
➡ Restart Plesk : /etc/rc.d/init.d/plesk restart
➡ Main httpd configuration file : /etc/httpd/conf/httpd.conf
➡ Plesk httpd : /etc/httpd/conf.d/zz010_psa_httpd.conf
➡ Include conf files are under : /etc/httpd/conf.d
➡ Startup script for plesk apache : /usr/local/psa/admin/bin/httpsdctl start
➡ Apache main log files under : /var/log/httpd
➡ Php configuration file : /etc/php.ini
➡ Php extension modules are taken from : /etc/php.d
➡ Named Conf file located : /var/named/run-root/etc/named.conf
➡ DB record : /var/named/run-root/var/domain.com
➡ Log file : /var/log/messages
➡ Service to restart : /etc/init.d/named restart
➡ FTP Conf file : /etc/proftpd.conf
➡ Databases are located at : /var/lib/mysql
➡ Configuration file : /etc/my.cnf
➡ Mysql log : /var/log/mysqld.log
➡ Location of qmail directory : /var/qmail
➡ Mail directory of a domain : /var/qmail/mailnames/domain.com
➡ Mail log : /var/log/maillog or /usr/local/psa/var/log/maillog
➡ Home directory : /var/www/vhosts/domain.com
➡ Document root directory of a domain : /var/www/vhosts/domain.com/httpdocs
➡ Document root directory of secure website : /var/www/vhosts/domain.com/httpdsdocs
➡ Subdomains are created under : /var/www/vhosts/domain.com/subdomains
➡ Domain specific logs are under : /var/www/vhosts/domain.com/statistics/logs

Protect your server from DDoS attacks – Part 1 !!

What is a DDoS attack ?

DDoS, short for Distributed Denial of Service, is a type of DoS attack where multiple compromised systems (usually infected with a Trojan, 70% of the time) are used to target a single system, causing a Denial of Service (DoS). Victims of a DDoS attack include both the targeted system and all the systems maliciously used and controlled by the attacker in the distributed attack.

In a DDoS attack, the incoming traffic flooding the victim originates from many different sources – potentially hundreds of thousands or more. This effectively makes it impossible to stop the attack simply by blocking a single IP address.

Honestly, fully protecting against a DDoS attack is very difficult. But we can follow some steps to make our servers more resilient against them.

=====================================

CSF ( WHM default firewall ) can be fine tuned as follows :

ConfigServer Security & Firewall from WHM >> Firewall Configuration

Connection Tracking : This option enables tracking of all connections from IP
addresses to the server. If the total number of connections is greater than
this value then the offending IP address is blocked. This can be used to help
prevent some types of DOS attack.

Care should be taken with this option. It’s entirely possible that you will
see false-positives. Some protocols can be connection hungry, e.g. FTP, IMAPD
and HTTP so it could be quite easy to trigger, especially with a lot of
closed connections in TIME_WAIT. However, for a server that is prone to DOS
attacks this may be very useful. A reasonable setting for this option might
be around 300.

=====================================
If you see your server is a bit on the slower side, check the number of connections to it per remote IP using the following command (note grep -E: with plain grep the | is literal and matches nothing).

# netstat -anp | grep -E 'tcp|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

As a preliminary step, block the offending IPs that don't look valid using csf commands (csf -d <IP>).
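The pipeline above is fine interactively, but it mixes listening sockets into the count and loses IPv4-mapped IPv6 peers. As an added example (not from the original post or from CSF), here is the same per-IP count as a function that reads a netstat -anp capture on stdin, skips listeners, normalises "::ffff:" addresses, and marks any IP over a given limit, so it can be compared directly with the CT_LIMIT value being considered for the CSF Connection Tracking option. The netstat lines in the test are constructed.

```bash
# Added example: connections per remote IP from "netstat -anp" output on stdin.
# Usage: netstat -anp | count_remote_ips [limit]
# Output: "<count> <ip>[ OVER_LIMIT]" lines, highest count first.
count_remote_ips() {
  limit="${1:-0}"
  awk -v limit="$limit" '
    # tcp/tcp6/udp/udp6 rows whose foreign address is a real peer
    # (listening sockets show "0.0.0.0:*" or ":::*" there and are skipped)
    $1 ~ /^(tcp|udp)/ && $5 !~ /:\*$/ {
      ip = $5
      sub(/:[0-9]+$/, "", ip)       # strip the port from "a.b.c.d:port"
      sub(/^::ffff:/, "", ip)       # IPv4 peer seen through an IPv6 socket
      n[ip]++
    }
    END {
      for (ip in n) {
        flag = (limit > 0 && n[ip] > limit) ? " OVER_LIMIT" : ""
        printf "%d %s%s\n", n[ip], ip, flag
      }
    }
  ' | sort -rn
}
```

Run it a few times during normal traffic before settling on a CT_LIMIT: as the section above warns, FTP, IMAP and HTTP clients with many sockets in TIME_WAIT will legitimately show high counts, and those are the false positives to size the limit around.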

Another option is the mod_evasive module in the httpd configuration.

Mod_evasive is an evasive maneuvers module for Apache that takes evasive
action in the event of an HTTP DoS or DDoS attack or a brute force attack.
It is also designed to be a detection tool and can easily be configured to talk
to ipchains or firewalls.

Mod_evasive has many options for controlling how the IPs connecting to our
server are handled.

The steps to install mod_evasive are given below:

# cd /usr/local/src/

# wget http://www.zdziarski.com/blog/wp-content/uploads/2010/02/mod_evasive_1.10.1.tar.gz

# tar -xvzf mod_evasive_1.10.1.tar.gz

# cd mod_evasive/

# /usr/local/apache/bin/apxs -cia mod_evasive20.c

Now create a file named /usr/local/apache/conf/mod_evasive.conf and add your custom settings.

For example:

# cat /usr/local/apache/conf/mod_evasive.conf

LoadModule evasive20_module modules/mod_evasive20.so
<IfModule mod_evasive20.c>

DOSHashTableSize 3097

((The hash table size defines the number of top-level nodes for each child's hash table. Increasing this number will provide faster performance by decreasing the number of iterations required to get to the record, but consume more memory for table space. You should increase this if you have a busy web server. The value you specify will automatically be tiered up to the next prime number in the primes list))

DOSPageCount 2

((This is the threshold for the number of requests for the same page (or URI) per page interval. Once the threshold for that interval has been exceeded, the IP address of the client will be added to the blocking list))

DOSSiteCount 50

((This is the threshold for the total number of requests for any object by the same client on the same listener per site interval. Once the threshold for that interval has been exceeded, the IP address of the client will be added to the blocking list))

DOSPageInterval 1

((The interval for the page count threshold; defaults to 1 second intervals))

DOSSiteInterval 1

((The interval for the site count threshold; defaults to 1 second intervals))

DOSBlockingPeriod 10

((The blocking period is the amount of time (in seconds) that a client will be blocked for if they are added to the blocking list. During this time, all subsequent requests from the client will result in a 403 (Forbidden) and the timer being reset (e.g. another 10 seconds). Since the timer is reset for every subsequent request, it is not necessary to have a long blocking period; in the event of a DoS attack, this timer will keep getting reset))

</IfModule>

Now include the above file from /usr/local/apache/conf/includes/pre_main_global.conf:

Include "/usr/local/apache/conf/mod_evasive.conf"

Now rebuild httpd.conf:
# /scripts/rebuildhttpdconf

Now restart Apache:
# /scripts/restartsrv httpd
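DOSPageCount 2 with a one-second interval is aggressive: a page that loads a few assets from the same URI, or a user double-clicking, can trip it. As an added example (not from the original post, and not mod_evasive's own code) the function below replays an Apache combined-format access log through an approximation of the module's two rules: a per-IP, per-URI counter that resets when the previous hit to that URI is older than DOSPageInterval, and a per-IP counter that resets when the previous hit is older than DOSSiteInterval. It prints which IPs would have been blocked and why, so the thresholds can be tuned against real traffic before the module starts returning 403s. Timestamps are converted to seconds-within-year with a fixed 31-day month, which is accurate enough for interval comparisons; the log lines in the test are constructed.

```bash
# Added example: dry-run mod_evasive thresholds against an access log.
# Usage: simulate_mod_evasive access_log PAGE_COUNT PAGE_INTERVAL SITE_COUNT SITE_INTERVAL
# Output: "<ip> blocked: <reason>" per IP that would have been added to the blocking list.
simulate_mod_evasive() {
  awk -v pc="$2" -v pi="$3" -v sc="$4" -v si="$5" '
    # "[08/Oct/2023:00:17:05" -> seconds within the year (months padded to 31 days;
    # only differences between nearby timestamps matter here)
    function to_secs(ts,   d, m) {
      split(substr(ts, 2), d, /[\/: ]/)
      m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", d[2]) + 2) / 3
      return (((m * 31 + d[1]) * 24 + d[4]) * 60 + d[5]) * 60 + d[6]
    }
    {
      ip = $1; t = to_secs($4); uri = $7
      # page rule: same IP + same URI within PAGE_INTERVAL of the previous hit
      pk = ip SUBSEP uri
      if ((pk in plast) && t - plast[pk] < pi) pcount[pk]++; else pcount[pk] = 1
      plast[pk] = t
      # site rule: any request from the IP within SITE_INTERVAL of the previous one
      if ((ip in slast) && t - slast[ip] < si) scount[ip]++; else scount[ip] = 1
      slast[ip] = t
      if (!(ip in blocked)) {
        if (pcount[pk] > pc) blocked[ip] = "page threshold on " uri
        else if (scount[ip] > sc) blocked[ip] = "site threshold"
      }
    }
    END { for (ip in blocked) print ip, "blocked:", blocked[ip] }
  ' "$1" | sort
}
```

Run it with the values from mod_evasive.conf, e.g. `simulate_mod_evasive /usr/local/apache/domlogs/example.com 2 1 50 1`, and raise DOSPageCount until legitimate clients stop appearing in the output; it reads the whole file at once, so an hour of peak-traffic log is a better input than a full day.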

Steps in hardening your mail service :

Some of the things which can be done from WHM to harden your mail service :

=========================
From WHM Main >> Server Configuration >> Tweak Settings:
* The POP3 connection limit option prevents excessive numbers of POP3 connections.
* The POP3 flood prevention option.
* Prevent "nobody" from sending mail: this ensures that PHP scripts running
as the user "nobody" will not be able to send any mail.
* In the Service Manager you can find the option "antirelay". Turn
this off so that authentication is required every time, rather than relaying on the strength of a prior POP3 connection.

=========================

Try to use Secure protocols and related ports

POP3S 995
IMAPS 993
SMTPS 465

These are just the basics of hardening the mail system. More to follow.

404 Not Found error along with the original 404 ErrorDocument?

Issue: you get an additional 404 Not Found error when trying to access a non-existent file which should actually be handled by an ErrorDocument.

For example, when I try to access the following (noactualfile):
Not Found

The requested URL /~joelta/noactualfile was not found on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

How to remove the additional error for the error document?

Fix: use the following lines in the .htaccess of the domains in question

=============

ErrorDocument 400 default
ErrorDocument 401 default
ErrorDocument 403 default
ErrorDocument 404 default
ErrorDocument 410 default
ErrorDocument 500 default

=============

 

Not able to unpark a domain from WHM?

Issue: a domain created as parked from cPanel can be deleted from cPanel, but fails to be unparked from WHM, with the following error message shown:

"The system cannot determine the base domain site cpanel"

Reason: on checking, we can see that the parked domain has no entry in the DNS records nor in the httpd config.

Solution: run # /scripts/upcp --force ; it updates cPanel and fixes the missing DNS entries for parked domains.

Receiving email to upgrade WP scripts?

An email notifying you to update WP scripts is sent to the server contact email address.

It would look like this :
Subject: Software Security Notice – Script Installs need upgrading

In order to protect the security of your users' website, we recommend that you upgrade the following scripts that were installed via the "Scripts Library" in your cPanel interface:

Issue: if the user removed the script by deleting the directory
it was installed into, they probably did not remove the database, so cPanel still tracks the install.

Fix: locate the leftover cpaddons record for the script named in the email and remove it.
# ls /home/*/.cpaddon
# ls /home/*/.cpaddons
# ls -al /home/xxx/.cpaddons
# ls -al /home/xxx/.cpaddons -h
# cat /home/xxx/.cpaddons/cPanel::Blogs::WordPress.0.yaml ((whichever script is mentioned))
# rm -rf /home/xxx/.cpaddons/cPanel::Blogs::WordPress.0.yaml

 

Facing an SSL error?

A browser certificate warning might show up each time any of the cPanel services are used.
This is because cPanel / Webmail is configured to work with the server's shared / self-signed SSL certificate.
This is not a security problem and you can safely disregard it.

To get around this issue though, either accept the certificates and tell your browser to ignore the warnings, or purchase an SSL certificate that is mapped to your main server hostname and then assign that certificate to all of the cPanel services.

 

cPanel cheatsheet !!

  • Set the correct ownership for files under an account # /scripts/chownpublichtmls
  • Update cPanel # /scripts/upcp
  • Fix the cPanel license issue # /usr/local/cpanel/cpkeyclt
  • Check the current Apache PHP Handler # /usr/local/cpanel/bin/rebuild_phpconf --current
  • Set the PHP Handler to DSO # /usr/local/cpanel/bin/rebuild_phpconf 5 none dso 1
  • Set the PHP Handler to suPHP # /usr/local/cpanel/bin/rebuild_phpconf 5 none suphp 1
  • Set the PHP Handler to cgi # /usr/local/cpanel/bin/rebuild_phpconf 5 none cgi 1
  • Check the cPanel version # /usr/local/cpanel/cpanel -V
  • Delete an account # /scripts/killacct 'accountname'
  • Information about main domains as well as sub domains # /etc/userdomains
  • Information about main domains and not sub domains # /etc/trueuserdomains
  • Information about reseller accounts # /var/cpanel/mainaccountname.accts
  • List the modules compiled with PHP # php -m
  • Check the path of the global configuration file # php -i |grep php.ini
  • Install the module imagemagick # /scripts/installimagemagick
  • EasyApache logs # /usr/local/cpanel/logs/easy/apache/build..
  • Inspecting the load in server # /var/log/dcpumon/toplog*
  • Inspecting specific domain connections # /usr/local/apache/domlogs/domain
  • Find connections to web-server # lynx http://localhost/whm-server-status
  • Tweak settings in WHM, backend file # cat /var/cpanel/cpanel.config
  • If changes are made from the backend to the above file, run # /usr/local/cpanel/whostmgr/bin/whostmgr2 --updatetweaksettings
  • Check cPanel product version from # cat /etc/cpupdate.conf
  • Create email accounts from backend # /scripts/addpop
  • Setting catchall and forwarders for a domain in # vim /etc/valiases/domain
  • Setting email filters # vim /etc/vfilters/domain
  • Account creation defaults can be seen from # cat /etc/wwwacct.conf
  • Root owned domains # cat /var/cpanel/root.accts
  • Reseller accounts information # cat /var/cpanel/username.accts

MySQL upgrade from WHM or script failed ?

When trying to upgrade the MySQL server from WHM or via the script,

# /scripts/mysqlup --force

Do you face the below error message?

======

-bash-3.00# /scripts/mysqlup --force
Failed to download http://httpupdate.cpanel.net/RPM01/centos/unknown/i386/MySQL-server-5.1.63-0.i386.rpm
Failed to install mysql51.

======

Reason: if you analyze the logs in this scenario, you can see that the RPM file to be fetched is the problem. The URL from which the update tries to fetch the required RPMs does not point to a valid page; opening it in a web browser returns 'Not Found'. In the URL, the keyword 'unknown' appears in the place allocated for the RPM distribution version.

Fix: change the wrongly specified rpm_dist_version.

Edit /var/cpanel/sysinfo.config and change "rpm_dist_ver" to point to
the current CentOS version, that is 4 or 5.

Then proceed with upgrading process.

This can be an issue not only during a MySQL upgrade but with any upgrade
that uses RPMs (e.g. Pure-FTPd).

Facing issues with PHP after installing the ionCube loader?

After installing the ionCube loader via EasyApache or using the script,
# /scripts/phpextensionmgr install IonCubeLoader

do you face any issues with PHP?

Do you get the following error message when you check the version of PHP using the command # php -v :

=========
The ionCube PHP Loader is disabled because of startup problems. Segmentation fault
=========

Reason: this usually happens due to a duplicate entry in the php.ini file (/usr/lib/php.ini).

Remove or comment out one of the two lines:
;zend_extension="/usr/local/IonCube/ioncube_loader_lin_5.3.so"

FYI, you can remove ionCube by running the following script:

# /scripts/phpextensionmgr uninstall IonCubeLoader

Wish to remove fantastico?

Do you want to remove Fantastico and its services from your server?

Unfortunately, there is no easy method to remove it from the front end.

SSH to the server and issue the following commands:

# rm -rf /var/netenberg/
# rm -rf /usr/local/cpanel/whostmgr/docroot/cgi/fantastico/
# rm -rf /usr/local/cpanel/3rdparty/fantastico*
# rm -rf /usr/local/cpanel/base/frontend/*/fantastico
# rm -f /usr/local/cpanel/base/frontend/x/cells/fantastico.html
# rm -f /usr/local/cpanel/whostmgr/docroot/cgi/addon_fantastico.cgi

After removing Fantastico from the server, do any of the cPanel accounts still show the Fantastico icon?

You can remove it by doing the following:
From the backend, go to /var/cpanel/registered_cpanelplugins
and delete the line corresponding to "Fantastico_De_Luxe"

Then, in WHM -> Packages -> Feature Manager, untick the Fantastico checkbox.

 

Databases missing in cPanel, found in phpmyadmin !!

A weird situation is when you can see the databases, their tables and so on from the phpMyAdmin of the cPanel account concerned, but they are missing under the 'Databases' section.

Reason: this issue occurs because the databases are not mapped to the account.
Fix:

# /usr/local/cpanel/bin/setupdbmap